security problem with kdm settings
Hello,

I believe I have found a bug in KDE which has minor security implications. Twice now I have found that my local customisations of KDM have disappeared, and this is very irritating. The default KDM settings are not appropriate for terminals in public areas because: (a) a complete list of valid users is displayed; (b) the banner includes the word "Welcome", and I have often been advised that you should not welcome users until after they have passed authentication (whether this advice is good is beside the point!).

I believe that the settings revert when I install other software; perhaps when SuSEconfig runs.

The sequence of events was:
(1) start kcontrol, then become root and customise the login process
(2) success, login now OK
(3) I noted that my customisation had changed /opt/kde2/share/config/kdmrc, so I copied this to a new file /etc/opt/kde2/share/config/kdmrc in the hope of making the change permanent
(4) I installed other software (galeon and netscape6)
(5) customisations have been lost, and /opt/kde2/share/config/kdmrc has reverted to default
(6) I copied /etc/opt/kde2/share/config/kdmrc to /opt/kde2/share/config/kdmrc and things are OK again (until next time)

I may be doing some things wrong, because I can't find any documentation about customising KDE other than the painstakingly slow GUI method. /etc/kderc contains dir_config=/etc/opt/kde2/share/config:/opt/kde2/share/config, though my experience suggests this has no effect.

I am running kdebase-2.1.1-89 on SuSE 7.2

Bob
==============================================================
Bob Vickers  R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv  Phone: +44 1784 443691
(b) the banner includes the word "Welcome", and I have often been advised that you should not welcome users until after they have passed authentication (whether this advice is good is beside the point!).
I don't know about UK law, but here in the US this is good advice. Cases of unauthorized intrusion here have held that "Welcome" in fact means "welcome", and if anyone isn't welcome you need to put in a warning to that effect. So the advice over here is to put messages like "Unauthorized access is prohibited!" both before AND after authentication. It's put in after authentication because if someone has unauthorized access to a valid user account the warning is still needed, and it's also good there since if you log in via SSH you may not receive a pre-authentication message.

-Matt
On Friday 21 September 2001 09:20, Bob Vickers wrote: [snip]
I believe I have found a bug in KDE which has minor security implications. [snip] /opt/kde2/share/config/kdmrc so I copied this to a new file [snip]
Hi,

Maybe try 'chmod ugo-w /opt/kde2/share/config/kdmrc'? If SuSEconfig is altering the file, this might prevent it.

Or, if that doesn't work, you might copy the file (the one with your settings) to somewhere, get its md5sum, and then set up a cron job to check and compare the md5sum sigs on the backup and the main file, and replace the main file with the backup if the sigs are different.

John
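The cron-driven check John describes, written out as an added example (this script is not part of the original thread and not part of KDE or SuSE). It keeps a known-good copy of kdmrc, compares md5sums, and if the live file differs it saves the clobbered version for inspection and puts the good copy back by an atomic rename, then removes write permission as John also suggests. The paths /etc/opt/kde2/share/config/kdmrc.good and /opt/kde2/share/config/kdmrc, the function name and the cron line are assumptions for illustration; adjust them to the install in question.

```bash
#!/bin/sh
# kdmrc-guard: restore a known-good kdmrc when something overwrites it.
# Added example, not code from the thread. Paths below are assumptions.
#
# Suggested cron entry (root's crontab, every 10 minutes):
#   */10 * * * * /usr/local/sbin/kdmrc-guard \
#       /etc/opt/kde2/share/config/kdmrc.good /opt/kde2/share/config/kdmrc

# check_and_restore REFERENCE TARGET
#   returns 0 if TARGET already matches REFERENCE (nothing done)
#   returns 1 if TARGET differed or was missing and has been restored
#   returns 2 if REFERENCE itself is missing (nothing to restore from)
check_and_restore() {
    ref="$1"
    target="$2"

    if [ ! -f "$ref" ]; then
        echo "kdmrc-guard: reference copy $ref is missing" >&2
        return 2
    fi

    ref_sum=$(md5sum "$ref" | cut -d' ' -f1)
    cur_sum=""
    if [ -f "$target" ]; then
        cur_sum=$(md5sum "$target" | cut -d' ' -f1)
    fi

    if [ "$ref_sum" = "$cur_sum" ]; then
        return 0
    fi

    # Keep whatever overwrote the file so the culprit can be identified
    # (e.g. diff it against the default shipped by the package).
    if [ -f "$target" ]; then
        cp -p "$target" "$target.clobbered.$(date +%Y%m%d%H%M%S)"
    fi

    # Write the good copy beside the target and rename it into place:
    # the rename is atomic, so kdm never sees a half-written kdmrc, and it
    # works even if the old target had been made read-only earlier.
    cp -p "$ref" "$target.tmp.$$" && mv -f "$target.tmp.$$" "$target"

    # chmod ugo-w as John suggests. This stops a naive in-place edit; it
    # does not stop a root process that replaces the file by rename, which
    # is why the periodic check above is the real backstop.
    chmod a-w "$target"

    logger -t kdmrc-guard "restored $target from $ref" 2>/dev/null || true
    return 1
}

# When run as a script with two arguments, do one check and exit with the
# function's status so cron mail (or a wrapper) can tell what happened.
if [ "$#" -eq 2 ]; then
    check_and_restore "$1" "$2"
    exit $?
fi
```

Because the reference copy lives outside the directory the packages write to, a package upgrade that resets /opt/kde2/share/config/kdmrc is undone at the next cron run, and the saved .clobbered.* file shows exactly what the upgrade wrote.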
I have seen this once, maybe twice, usually after an upgrade on the KDE packages. SuSEconfig does not touch the kdmrc file: if you watch as it runs, it says that the KDMRC file has been changed/modified, leaving it untouched!!, and placing my copy as kdmrc.suseconfig in the same dir. These are not direct quotes of the SuSEconfig output, but close enough to get the idea.

I think you may have something else going on with your machine or KDE install. What version of KDE are you running, and have you ever played with the login manager settings in Yast/Yast2? This will cause problems (I know because I played with this once and broke kdm (really nice :-( )).

Bob Vickers wrote:
[snip]
--
____________________________________________________________
Long live the Penguin!!!
Duane Kehoe            Phone # 414.908.1814
Programmer/Analyst     Fax # 414.908.1814
Weyco Group, Inc.      Email: dkehoe@weycogroup.com
participants (4)
- Bob Vickers
- Duane Kehoe
- John Pinder
- Matthew Thomas